Dynamic web session clean-up

A web session clean-up technology, applied in the field of web application security, that can solve the problems of manual user intervention, the lack of a standardized method to clean up sessions on remote servers, and dependence on third-party applications.

Active Publication Date: 2013-09-19
IBM CORP

AI Technical Summary

Benefits of technology

The patent describes a way to clean up web sessions without pre-configuring a sign-off mechanism. When a web session is initiated, a sign-off cookie is generated and stored. The cookie contains an identifier for the session and a URL for a sign-off resource that can be used to clean up the session. The cookie may be returned to the client and/or retained in a proxy. When the session ends, the URL in the cookie is used to request clean-up of the session, so sessions are cleaned up dynamically without a separately configured sign-off mechanism.

Problems solved by technology

These sessions remain active until the client requests their destruction, which typically requires manual user intervention.
Typically, there exists no standardized method to clean up sessions on remote servers without a static configuration that can map the session identity (usually contained within an HTTP cookie) to a sign-off resource for the session.
A weakness of this approach is the requirement for manual configuration and dependence on a third party application or database to manage the sign-off operations.
Further, the described solution is not portable, and it cannot be extended automatically because only a list of statically-configured URLs can be invoked in the sign-off process until a new mapping of cookie-to-sign-off resource is manually added to the configuration.
One of the drawbacks of this approach is that new scripts have to be added for each proxied application matching all of the cookies for this particular proxied web server.
Moreover, depending on the type of proxying method used and how the cookie is stored in the web browser's cookie jar, these cookies may not be able to be deleted easily.
This approach can also require modifications to the proxied server's log off page, which can be quite intrusive.
Further, this approach does not address the situation where the logoff is not instigated from the browser (e.g., when the user session within a reverse proxy simply times-out).
A limitation of this approach, however, is that the cookies are destroyed by the proxy when the session is terminated, but this does not terminate any corresponding sessions in the backend servers.
This approach also is undesirable in that it does not allow cookies to flow back to the web browser during the user session.

Embodiment Construction

[0027] With reference now to the drawings and in particular with reference to FIGS. 1-2, exemplary diagrams of data processing environments are provided in which illustrative embodiments of the disclosure may be implemented. It should be appreciated that FIGS. 1-2 are only exemplary and are not intended to assert or imply any limitation with regard to the environments in which aspects or embodiments of the disclosed subject matter may be implemented. Many modifications to the depicted environments may be made without departing from the spirit and scope of the present invention.

[0028] With reference now to the drawings, FIG. 1 depicts a pictorial representation of an exemplary distributed data processing system in which aspects of the illustrative embodiments may be implemented. Distributed data processing system 100 may include a network of computers in which aspects of the illustrative embodiments may be implemented. The distributed data processing system 100 contains at least one ne...

Abstract

A “sign-off” cookie is generated and stored upon initiation of a web session between a client and a web application executing on a server. The sign-off cookie preferably comprises both an identifier for the session (a “session ID”) together with an identifier (such as a URL) for a sign-off resource (associated with a sign-off mechanism) that can be used to clean up the web session following its termination. The sign-off cookie may be returned to the client and/or retained within a proxy. Upon termination of the web session, the URL in the sign-off cookie is used to initiate a request to the sign-off mechanism to clean up the web session. This approach provides for dynamic web session clean-up without requiring any pre-configuration of the sign-off mechanism.
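
A minimal sketch of the flow in the abstract, added here as an illustration and not taken from the patent or any IBM product: a proxy records a sign-off cookie when a backend session starts and calls the sign-off URL when the user session ends. The cookie layout (HMAC tag plus JSON), `PROXY_KEY`, the `SESSIONID` cookie name, the same-origin check and the `Proxy` class are all assumptions; the page specifies only that the cookie carries a session ID and a sign-off URL.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

PROXY_KEY = b"constructed-demo-key"  # assumption: secret held only by the proxy


def _tag(body):
    return hmac.new(PROXY_KEY, body.encode(), hashlib.sha256).hexdigest()


def make_signoff_cookie(session_id, signoff_url, backend_origin):
    """Build the sign-off cookie value at session initiation."""
    body = json.dumps({"sid": session_id, "url": signoff_url,
                       "origin": backend_origin}, sort_keys=True)
    return f"{_tag(body)}.{body}"


def parse_signoff_cookie(value):
    """Return the fields, or None if the value was altered or the sign-off
    URL points outside the origin that created the session."""
    tag, _, body = value.partition(".")
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return None
    fields = json.loads(body)
    url, origin = urlsplit(fields["url"]), urlsplit(fields["origin"])
    if (url.scheme, url.netloc) != (origin.scheme, origin.netloc):
        return None
    return fields


class Proxy:
    def __init__(self, send):
        self.send = send  # callable(url, cookies) that issues the HTTP request
        self.jar = {}     # user session -> retained sign-off cookie values

    def on_backend_session(self, user, session_id, signoff_url, backend_origin):
        cookie = make_signoff_cookie(session_id, signoff_url, backend_origin)
        self.jar.setdefault(user, []).append(cookie)
        return cookie     # may also be returned to the client

    def terminate(self, user, client_cookies=()):
        """Logout or timeout: request every valid sign-off resource once."""
        cleaned = []
        for value in set(self.jar.pop(user, [])) | set(client_cookies):
            fields = parse_signoff_cookie(value)
            if fields is not None:
                self.send(fields["url"], {"SESSIONID": fields["sid"]})
                cleaned.append(fields["url"])
        return sorted(cleaned)
```

Because the proxy issues a request to whatever URL the cookie names, a cookie that has travelled through the client is verified before use, and a sign-off URL outside the issuing backend's origin is skipped.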

Description

[0001] This application includes subject matter that is protected by copyright. All rights are reserved.

BACKGROUND OF THE INVENTION

[0002] 1. Technical Field

[0003] This disclosure relates generally to web application security and in particular to a method and system for dynamic web session clean-up using cookies that have been augmented to include sign-off resource URLs.

[0004] 2. Background of the Related Art

[0005] When clients authenticate with a remote application, a session for that client is created on the web server. These sessions remain active until the client requests their destruction, which typically requires manual user intervention. Typically, there exists no standardized method to clean up sessions on remote servers without a static configuration that can map the session identity (usually contained within an HTTP cookie) to a sign-off resource for the session. HTTP cookies (see IETF RFC 2109) provide a way of managing sessions and state between web browsers and web se...

Application Information

IPC(8): G06F15/16
CPC: H04L67/02, H04L67/143, G06F17/30887, H04L63/0815, G06F17/30867, H04L63/0281, G06F16/9535, G06F16/9566
Inventors: EXTON, SCOTT ANTHONY; ROBINSON, KEIRAN; SEDGMEN, JOHN; STRAUBINGER, BEN LYLE
Owner: IBM CORP